Understanding Access Level Summaries Within Policy Summaries
Policy summaries include an access level summary that describes the actions defined for each service that is mentioned in the policy. To learn about policy summaries, see Understanding Policy Summaries in the AWS Management Console.
The following example describes the access provided by a policy for five services. For examples of full JSON policy documents and their related summaries, see Examples of Policy Summaries.
| Service | Access level | This policy provides: |
| --- | --- | --- |
| IAM | Full access | Access to all actions with |
| CloudWatch | Full: List | Access to all CloudWatch actions in the |
| Data Pipeline | Limited: List, Read | Access to at least one but not all AWS Data Pipeline actions in the |
| EC2 | Full: List, Read Limited: Write | Access to all Amazon EC2 |
| S3 | Full: List, Read Limited: Write, Permissions management | Access to all Amazon S3 |
As previously mentioned, within the access level element of the policy summary, Full access indicates that the policy provides access to all the actions within the service. Policies that provide access to some but not all actions within a service are further grouped according to the access level classification. This is indicated by one or both of the following access-level groupings:
Full: The policy provides access to all actions within the specified access level classification.
Limited: The policy provides access to one or more but not all actions within the specified access level classification.
Access level summaries that include such partial access to actions are grouped using the following access level classifications:
List: Permission to list resources within the service to determine whether an object exists. Actions with this level of access can list objects but cannot see the contents of a resource. For example, the Amazon S3 action `ListBucket` has the List access level.
Read: Permission to read but not edit the contents and attributes of resources in the service. For example, the Amazon S3 action `GetBucketLocation` has the Read access level.
Write: Permission to create, delete, or modify resources in the service. For example, the Amazon S3 action `PutObject` has the Write access level.
Permissions management: Permission to grant or modify resource permissions in the service. For example, most IAM and AWS Organizations actions, as well as Amazon S3 actions like `DeleteBucketPolicy`, have the Permissions management access level.
To improve the security of your AWS account, restrict or regularly monitor policies that have the Permissions management access level classification.
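The following Python script is an added example, not part of the AWS documentation and not AWS's own summary code. It shows how the Full / Limited grouping per access level can be computed from a JSON policy document, and how a policy that grants any Permissions management action can be flagged for review. The action-to-access-level table `ACTION_LEVELS` is a constructed, illustrative subset (the real classification covers every action of every service); the sample policy is constructed so that its S3 and CloudWatch rows match the table above. Deny statements and `NotAction` are deliberately ignored, which is a simplification of this example.

```python
"""Compute an IAM-style access level summary from a JSON policy document."""
import fnmatch
import json
from collections import defaultdict

# Constructed, illustrative subset of the action -> access level classification.
# Assumption: the real classification is much larger; only a few actions are listed.
ACTION_LEVELS = {
    "s3": {
        "ListBucket": "List",
        "ListAllMyBuckets": "List",
        "GetObject": "Read",
        "GetBucketLocation": "Read",
        "PutObject": "Write",
        "DeleteObject": "Write",
        "CreateBucket": "Write",
        "PutBucketPolicy": "Permissions management",
        "DeleteBucketPolicy": "Permissions management",
    },
    "cloudwatch": {
        "ListMetrics": "List",
        "GetMetricData": "Read",
        "PutMetricData": "Write",
    },
}
LEVELS = ("List", "Read", "Write", "Permissions management")


def allowed_actions(policy):
    """Return {service: set(action names)} granted by Allow statements.

    Only Allow statements carrying an Action element are considered; Deny
    and NotAction are ignored (simplification of this example). Matching
    is case-insensitive and honours the * and ? wildcards, as IAM does.
    """
    allowed = defaultdict(set)
    statements = policy["Statement"]
    if isinstance(statements, dict):          # a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            if pattern == "*":                # bare "*" covers every service
                for svc, acts in ACTION_LEVELS.items():
                    allowed[svc].update(acts)
                continue
            svc, _, act_pattern = pattern.partition(":")
            svc = svc.lower()
            if svc not in ACTION_LEVELS:      # service not in our subset
                continue
            for act in ACTION_LEVELS[svc]:
                if fnmatch.fnmatchcase(act.lower(), act_pattern.lower()):
                    allowed[svc].add(act)
    return allowed


def summarize(policy):
    """Return {service: summary string} in the style of the console summary."""
    summary = {}
    for svc, granted in allowed_actions(policy).items():
        catalogue = ACTION_LEVELS[svc]
        if granted == set(catalogue):
            summary[svc] = "Full access"
            continue
        full, limited = [], []
        for level in LEVELS:
            in_level = {a for a, lvl in catalogue.items() if lvl == level}
            hit = granted & in_level
            if not hit:
                continue                      # level not granted at all
            (full if hit == in_level else limited).append(level)
        parts = []
        if full:
            parts.append("Full: " + ", ".join(full))
        if limited:
            parts.append("Limited: " + ", ".join(limited))
        summary[svc] = " ".join(parts)
    return summary


def permissions_management_services(policy):
    """Services for which the policy grants any Permissions management action."""
    return sorted(
        svc for svc, granted in allowed_actions(policy).items()
        if any(ACTION_LEVELS[svc][a] == "Permissions management" for a in granted)
    )


# Constructed sample policy: full List and Read on S3, one Write action,
# one Permissions management action, and all CloudWatch List actions.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetObject",
                "s3:GetBucketLocation", "s3:PutObject", "s3:DeleteBucketPolicy"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "cloudwatch:List*", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for svc, text in summarize(SAMPLE_POLICY).items():
        print(f"{svc:<12} {text}")
    print("Review for Permissions management:",
          permissions_management_services(SAMPLE_POLICY))
```

Running the script prints `s3  Full: List, Read Limited: Write, Permissions management` and `cloudwatch  Full: List`, the same access level strings the table shows for those two services, and lists `s3` as a service whose grants include Permissions management and therefore deserve the restriction or monitoring the text recommends.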